The Devil, Eight Million Emails, and a Whole Lot of Milk | Phishing Stager Exposed

· Published 15/06/2026 16:53 · Modified 15/06/2026 17:15

Essential information

Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
bulk email abuse, compromised government website, credential theft, payment card harvesting, phishing campaign, rdweb portal, romanian threat actor, terminal server compromise
Tags
2026-06-15, bulk email abuse, compromised government website, credential-theft, payment card harvesting, phishing campaign, rdweb portal, romanian threat actor, terminal server compromise
Related entities
14 indicators, 14 observables, 16 techniques (mitre), 5 others

Description

On May 15, 2026, Huntress agents detected an intrusion in which threat actors compromised a terminal server to stage a massive phishing campaign rather than deploy ransomware. The attacker used legitimate bulk email software (Gammadyne Mailer) with a project file named 'dracii' (Romanian for 'the devils') and six recipient lists containing 8,894,920 email addresses. Operating from Romanian IP addresses, the actor impersonated UK pharmacy chain Boots through a fake customer satisfaction survey designed to harvest personal and payment card data. The phishing kit was hosted on a compromised Bolivian government website (ipelc.gob.bo), which Huntress reported to Bolivia's national CSIRT. The campaign used direct-to-MX delivery to bypass mail relays, with the mailer configured to send on 666 threads simultaneously. Evidence suggests this Romanian operator has been running multiple UK-targeting campaigns since at least July 2025, rotating between retail, tax, and cryptocurrency themes.

External references